We Are Pioneer Group (WAPG) has responsibility under data protection law to provide individuals with information about how we process their personal data. In this policy we will provide you with information that is common to all our processing activities, as well as explaining what rights you have to control how we use your information and how to inform us about your wishes.

In many instances when WAPG collects personal data, we are the Data Controller. As Data Controller, we are responsible for ensuring our systems, processes, suppliers and people comply with data protection laws in relation to the information we handle.

All our people must abide by this policy when handling personal data and take part in any required data protection training.

When we need to let you know about additional privacy information not contained in this policy, such as when we are processing data on behalf of a Data Controller, we will let you know at the point that we collect the relevant personal data from you or within a reasonable period of obtaining your personal data if we get it from someone other than you.

Under the UK General Data Protection Regulation (UK GDPR), tailored by the Data Protection Act 2018, we are only allowed to use your personal data if we have a proper reason to do so.

Data protection law sets out a number of different reasons we may collect and process your personal data. The lawful basis will depend on the specific activity for which we are collecting your personal data, but will usually be one of the following:

  • You have given us permission to do so: In specific situations, we can collect and process your data with your consent – e.g. when you sign up to receive email or postal communication from us. When collecting your personal data, we’ll always make clear to you which data is necessary in connection with particular activities.
  • We need to perform a contract: In some instances, we need to process your personal data to comply with our contractual obligations. For example, if you ask to attend an event and let us know about special dietary requirements, we need your contact details to update you about the event arrangements and to let you know of any changes, and we may also need to pass some of your personal data on to our caterer.
  • We need to comply with a legal obligation: We may be legally bound to collect and process your data. For example, if someone is involved in any criminal activity or fraud affecting us, we need to pass details, which could include personal data, to law enforcement.
  • It is in our legitimate interest: We require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests. For example, we may use your event attendance history to offer more personalised event offers. We can only use this lawful basis if our legitimate interests do not override your individual interests, rights and freedoms.

You have rights over your personal data.  Under data protection law:

  • we have to inform you about the collection and use of your personal data, including our purposes for processing your personal data, how long we will keep your data and who we will share your data with (known as the right to be informed);
  • you can ask whether we are processing your personal data and if so, ask for a copy of your information (known as the right of access);
  • you can ask for information to be corrected (known as the right to rectification);
  • you can ask for information to be erased or deleted (known as the right of erasure);
  • you can ask for us to limit or restrict processing (known as the right to restrict processing);
  • you can ask us to send you a copy in a structured digital format or ask for us to send it to another party (known as the right to data portability);
  • you can object to us processing your data, in particular where we use the data for direct marketing, including profiling for direct marketing purposes.  The right to object does not apply if we must process the data to meet a contractual or legal requirement (known as the right to object);
  • you have the right not to be subject to a potentially damaging decision being taken without human intervention (known as rights related to automated decision making and profiling).

Some rights, however, may be limited. We may be obliged by law or regulation to keep information.  We must respect other people’s privacy as well, which means we may need to redact or remove information where it includes personal data about someone else, even if it is connected to your data.  On occasion there may be a compelling legitimate interest to keep processing data.

If you want a copy of your data, to object to how we use your data, or ask us to delete it or restrict how we use it or, please see ‘Getting in touch’ below.

You also have a right to complain to the data protection authority.  This can be where you live, work or where the matter occurred. In the UK, the authority is the Information Commissioner’s Office, please see ‘Contacting the regulator’ below

We only keep your data for as long as is necessary for the purpose it was collected. After that period, your data is deleted or anonymised.  We may also aggregate your personal data with other data to use for business planning and analysis.

At times we need to share your personal data with trusted third parties e.g. delivery couriers, IT companies, credit card processing services and so on. We only provide what they need and they cannot use your data for anything other than the purposes that they have your data for. Your data is deleted or rendered anonymous if we stop working with the third party.

In addition, we may share your personal data with competent authorities processing personal data for legitimate law enforcement purposes.

We will never sell or trade your contact details with any third parties without you giving us your express consent to do so e.g. if you ask to attend an event which is being run explicitly as a joint event with a third-party.

There are some instances where we may have to share your information based on our legal obligations, for instance:

  • Legal, compliance, regulatory and investigative purposes, including for government agencies and law enforcement.
  • When you exercise your rights under data protection legislation, including when you ask to subscribe or unsubscribe from our marketing communications.

Where practical, your personal data will be stored within the UK. This includes data stored in physical format at our sites and in digital format in our own and our service providers systems.

Sometimes we may need to send or store your data outside of the UK.  For example, to follow your instructions, to comply with a legal duty or to work with or receive services from our service providers who we use to support the operation of our business. If we do transfer information outside of the UK, we will make sure that it is protected as required under the UK GDPR, usually through the use of one of the following safeguards:

  • Transfer it to a country with privacy laws that give the same protection as the UK GDPR. The UK Government has the power to determine whether a country has an adequate level of data protection – known as an “adequacy decision”.
  • Put in place a contract with the recipient that means they must protect it to the same standards as the UK or use other mechanisms and measures to achieve adequate protection. We also may use the Standard Contractual Clauses published by the UK Government for this purpose.
  • Use binding corporate rules. These are internal rules adopted by group companies to allow international transfers of personal data to entities within the same corporate group located in countries which do not provide an adequate level of protection.

Our website, apps and marketing emails use cookies and similar technology. Full information is in our Cookie Policy.

Our Company Secretary is responsible for overseeing and monitoring our compliance with data protection laws and this policy.

If you want to make a request in line with your rights, you have any concerns regarding the way in which we are processing your personal data, or you just have a question relating to our processing of your personal data, please contact us by email at [email protected]oup.com or write to us at:  We Are Pioneer Group, BioCity Nottingham, Pennyfoot Street, Nottingham, NG1 1GF

If you are unsatisfied with the way in which we process your personal data, we ask that you let us know so that we can try to put things right. If we are not able to resolve issues to your satisfaction, you can refer the matter to the Information Commissioner’s Office by calling 0303 123 1113 or going online to www.ico.org.uk/concerns.